The following incidents were mentioned in the March 14, 1994 Modesto Bee.

- Laurie Powell joined an on-line service to discuss the joys and pitfalls of raising children. An elusive cyberstalker called Vito has threatened her life, sent her pornographic e-mail and may be following her around the country.
- Larry Greenberg of New York could have lost his job when someone sent his boss a fax from a phony law firm accusing him of being a convicted rapist and child molester. Greenberg suspects the fax was sent by an on-line foe.
- A 14-year-old New Jersey girl was forced off the network last month after continuing to receive unwanted computer-generated sexual images of young boys.
- Evelyn McHugh, a New Jersey housewife, discovered a Chicago man was sending obscene messages in her name.
- A 14-year-old Boston boy disappeared after running away to meet a man in Texas who sent him on-line love letters and airline tickets.

Erskine Widemon
This has absolutely nothing to do with computers, but it is heartening to know that our industry isn't the only one that does foolish things. — Mark ----- Begin Included Message ----- The Farside comes to life in Oregon. I am absolutely not making this incident up; in fact I have it all on videotape. The tape is from a local TV news show in Oregon, which sent a reporter out to cover the removal of a 45-foot, eight-ton dead whale that washed up on the beach. The responsibility for getting rid of the carcass was placed on the Oregon State Highway Division, apparently on the theory that highways and whales are very similar in the sense of being large objects. So anyway, the highway engineers hit upon the plan--remember, I am not making this up--of blowing up the whale with dynamite. The thinking is that the whale would be blown into small pieces, which would be eaten by seagulls, and that would be that. A textbook whale removal. So they moved the spectators back up the beach, put a half-ton of dynamite next to the whale and set it off. I am probably not guilty of understatement when I say that what follows, on the videotape, is the most wonderful event in the history of the universe. First you see the whale carcass disappear in a huge blast of smoke and flame. Then you hear the happy spectators shouting "Yayy!" and "Whee!" Then, suddenly, the crowd's tone changes. You hear a new sound like "splud." You hear a woman's voice shouting "Here come pieces of...MY GOD!" Something smears the camera lens. Later, the reporter explains: "The humor of the entire situation suddenly gave way to a run for survival as huge chunks of whale blubber fell everywhere." One piece caved in the roof of a car parked more than a quarter of a mile away. Remaining on the beach were several rotting whale sectors the size of condominium units. There was no sign of the seagulls who had no doubt permanently relocated to Brazil. This is a very sobering videotape. 
Here at the institute we watch it often, especially at parties. But this is no time for gaiety. This is a time to get hold of the folks at the Oregon State Highway Division and ask them, when they get done cleaning up the beaches, to give us an estimate on the US Capitol. Tom Mahoney, #9, Coast Guard Sqn.1/Div.13 CatLo ----- End Included Message -----
The following appeared in the New York Times on Tuesday, March 1, front page of the Metro Section (page B1). I haven't seen reference to this in Risks digests since then. And if there's been anything about it since in the local press, I've missed it.

My comments and questions:

- Anyone know more about this than appeared in the Times?
- Those with the *technical* ability to affect Board of Ed funding had no *legal* authority to do so. The design of the system - and its security - does not reflect the legal and political boundaries of the organizations it's supposed to serve.
- Probably easy to overlook one budget code out of "399 different budget categories." Unless they were informed by the administration, the agency and personnel who actually installed the change probably didn't know its full impact. They were "just following orders" ...
- The funds were not just "frozen" they were "transferred" to another account. I think the technical term is "stealing"?
- The Mayor, his administration, and the City Comptroller violated state law. Are there computer-specific laws they may also have broken? Wire fraud, for example?

Giuliani Tries Electronic School-Spending Freeze, by Josh Barnabel

Without warning the Board of Education, the Giuliani administration last week loaded software on a computer accounting system to block spending on school supplies. But the administration reversed the spending freeze after the Board considered legal action ... School officials said they discovered that the $68 million spending freeze had been imposed only when budget analysts ... noticed that spending authorizations were rejected by the city's accounting system for lack of funds ... At the direction of the Mayor and the city's Comptroller, the [Financial Information Services Agency] loaded new software on the city's accounting system after business hours on Thursday.

The software sent instructions to the city's computers blocking spending of 90 percent of the available funds in 399 different budget categories for all city agencies, from supplies and materials, to out-of-town travel, to temporary service and consulting contracts. The software in effect froze the school system's checking accounts, and transferred the available balances into reserve accounts controlled by the Mayor ... The board receives less than half its money from city taxes, and is not required to submit its detailed line-item budget to the Mayor or the City for approval ...
From COMMERCE BUSINESS DAILY, 940317 (Government notice of bids)

Department of the Treasury (DY), Internal Revenue Service, Constellation Centre, 6009 Oxon Hill Rd., Rm. 700, M:P:O:S Oxon Hill, MD 20745

36 — REMOTE DIAL NUMBER RECORDERS SOL IRS-94-0051 POC Shirley Campbell, Contract Specialist, (202) 283-1144. The Internal Revenue Service intends to procure 28 remote telephone data collection units, including software. Capable of collecting and storing information from the target line on at least 700 telephone calls (time of call, length of call, number dialed, caller ID, call progress tone detection, etc.). The unit must be no larger than 5.9x1.5x3.2 inches. The unit is controlled and records are transmitted through the dial-up line through a computer modem. The instrument must be transparent to the target line. The unit will be powered through the dial-up line. 100% Small Business Set-Aside. Telephone requests for the solicitation package will not be accepted. (0075)

[Great for identifying anonymous callers who request information on whether illegal acts must be declared, and other such revealing queries? PGN]
I recently registered for the upcoming Software Engineering Institute (SEI) Conference on Software Risk and provided my Master Card information for billing purposes. About a week later, I received a confirmation letter and receipt from the SEI; two days later, I received a second confirmation letter and receipt. Since the registration and payment numbers were different on the two receipts, I suspected a double booking/billing may have occurred, and called the SEI to rectify the problem. After looking into the situation, the SEI informed me that I had tripped a bug in a program which resulted in my being double registered, but *not* double billed. They assured me that I was the only one affected, and that the problem had indeed been resolved. Today I received two separate invitations to participate in an upcoming Software Engineering Process Group meeting. I am not planning to attend this particular event, but if anyone is interested in a "buy one, get one free" offer, please give me a call!
Yeah, we've beaten 911 problems to death historically, but it's a change from Clipper. :=) I have a friend. His family and mine are quite close. We call each other's houses daily, sometimes multiple times in one day. His phone number begins 591-1xxx. As you guessed, about once a month, something happens with the phone company switching, and we get 911--as a wrong number. So far the emergency response people have been quite nice about this, and I haven't seen any penalty-type charges on our phone bill. The risks: Aside from the obvious one, that we're discussing a safety-critical system, is the sheer volume of calls this represents. Ten thousand different phone numbers could get automatically diverted to 911. If we figure 500 hours each month when people are awake and calling (that's 16 a day), and each one gets redirected once a month, then 911 must be seeing a wrong number every three minutes! No wonder they're so nice about it... Richard Johnson (rdj@plaza.ds.adp.com) (richard@agora.rain.com)
RISKS-15.66 included a brief from "Network World," which referenced a story in the "Security Insider Report" suggesting that Aldrich Ames could have had access to Clipper's classified SKIPJACK algorithm or Clipper keys. A New York Times reporter asked me about this rumor a few weeks ago, and the whole idea struck me as so obviously absurd that I could hardly stop laughing. Nevertheless, I did check it out with people who would know. They confirmed what I thought. The whole rumor is total nonsense. What I don't understand is why people persist in spreading rumors and speculation that have no basis and don't even make sense. Dorothy Denning
This was in the TidBITS newsletter (#217/14-Mar-94). Evidently the AppleScript creators don't read this newsgroup...

> **John Baxter** <jwbaxter@pt.olympus.net> writes:
> I've run into something that grammar mavens may find interesting.
> Consider this correct [English version] AppleScript code:
>
>     tell word 4 of paragraph 2 of document 1 of application "Scriptable Text Editor"
>         get it's text
>     end tell
>
> Here, Apple has managed to make AppleScript syntax so English-like
> that it commits the all-too-common mistake of using "it's" instead
> of "its" as the possessive.
>
> You can of course also write that statement as:
>
>     get the text of it
>
> That sounds terribly stilted, but at least avoids the incorrect
> use of the contraction in place of the possessive. One of the
> amusing things is that Apple has the potential of running into
> such problems in each language for which they provide an
> AppleScript dialect.
> From: "George Feil" <feil@sbcm.com>
> A news bulletin just in: A fire in a Pacific Bell switching complex
> has knocked out local phone service to most of Los Angeles, CA.

The fire's impact was considerably overstated by press accounts. It occurred in the downtown L.A. "Madison" C.O. complex (in particular, LSAN-0470T), which is one of several downtown high-rise switching centers. The fire knocked out primary and secondary power supplies that (unlike many of the other supplies in the building, apparently) were co-located. Failure of SS7 links caused disruption of interoffice service for customers whose local subscriber lines were served by that office, and wider disruption of 911 service throughout a broader portion of the L.A. area, since the citywide 911 center is downtown. There were also apparently some limited long-distance access problems to some areas for some carriers. Media and local telephone operators quickly began publicizing local direct dial emergency numbers to offset the 911 failure. There were no reports that I heard of any serious problems relating to the 911 disruption. Some operations were switched to secondary facilities in other areas. Outside of the 911 problems, most areas of the city and the surrounding metro area (except the immediate downtown area served by Madison) noticed few obvious effects. --Lauren--
For more info, contact Kurt Stammberger, RSA Data Security, Inc. 415/595-8782. To download RSAREF and RIPEM, send any message to rsaref@rsa.com or ftp from msu.edu

RSA DATA SECURITY ANNOUNCES DIGITAL SIGNATURE SOFTWARE THAT IS FREE AND LEGAL WORLDWIDE

Information superhighway gets free tool to authenticate information; an answer to Vice-president Gore's concerns over Internet break-ins
---------------------------------------------------------

Redwood City, Calif. (March 21, 1994) - RSA Data Security, Inc. announced today a first: digital signature software that is both free and legal worldwide. RSA applied for and received a "commodities jurisdiction," or CJ, for a software package called RIPEM/SIG, which was built with RSA Data Security's RSAREF toolkit, a freeware package. A CJ, which is a ruling that the software falls under the Commerce Department's jurisdiction as opposed to the State Department, allows RIPEM to be freely and legally exported. Further, RSA has relaxed the use restrictions in its free crypto toolkit. RSAREF, and any application built with it, may now be used in commercial settings as long as it is not sold or used to provide a direct for-profit service.

Digital signatures are produced using the RSA cryptosystem, which is a public-key cryptosystem. Each user has two keys - one public and one private. The public key can be disclosed without compromising the private key. The RSA cryptosystem was invented and patented in the late 1970s by Drs. Rivest, Shamir, and Adleman at the Massachusetts Institute of Technology. Electronic documents can be "signed" with an unforgeable "signature" by using a document/private-key combination to produce a signature unique to the author/document. Anyone, by using only RIPEM and the public key of the author, can verify the authenticity of the document. Applications of digital signatures are endless.

One reason that the paperless office has never materialized is that paper must still be printed so that handwritten signatures can be applied. RSAREF and RIPEM solve that problem. Expense reports, any electronic forms, administrative documents, even tax returns can be electronically signed to speed electronic document flow and eliminate fraud. Information on the Internet can be signed and verified to prevent spoofing. Recently, unauthenticated messages at Dartmouth College caused an important test to be cancelled; messages impersonating faculty were sent out.

"Data mailed, posted, or put on servers on the Internet is inherently untrustable today," said Jim Bidzos, president of RSA. "Tampering with electronic documents takes no special skills, and leaves no trace. With the availability of a free, legal, and exportable tool such as RIPEM, there's no need for such a situation to continue. It can be used by individuals, corporations, and government agencies at no cost." In a February 4th announcement, Vice-president Gore stated that the recent Internet break-ins could have been prevented with digital signatures. "Here they are," said Bidzos.

Recently, cryptography has caused clashes between government and industry, over privacy issues, law enforcement concerns, and export issues. "The US government has approved this software for export," said Bidzos. "Clearly, it's no threat to them. And it's free." Digital signatures can also be used to detect any virus before a program is executed, since any change whatsoever is detected.

The RIPEM application was developed using the RSAREF toolkit by Mark Riordan of Michigan State University. A Macintosh version, developed by Ray Lau of MIT, the author of the popular "StuffIt" program, is also available. Versions for DOS, Unix, and all popular platforms are supported. "PEM" stands for Privacy Enhanced Mail, a published Internet standard for secure electronic mail. Other innovative applications can also be built with RSAREF and distributed at no cost. The full encryption-capable RIPEM is available only in the US.

RSA digital signatures are a standard feature of Lotus Notes, the Apple System 7 Pro Operating System, Novell NetWare, Microsoft Windows at Work, Windows NT, IBM System Security Products, DelRina PerformPro, WordPerfect InForms, SHANA InFormed, BLOC F3 Forms, Fischer International Workflow, and numerous other products. Over 3 million commercial products in the market today already use RSA signatures under license from RSA Data. Other RSA licensees include General Magic, Hewlett-Packard, Oracle, Unisys, Digital Equipment Corp, Motorola, and numerous others.

RSA Data Security, Inc. designs, develops, markets, and supports cryptographic solutions toolkits and products. The company was founded by the inventors of the RSA cryptosystem in 1982 and is headquartered in Redwood City, California.
CA-94:05 CERT Advisory, March 18, 1994: MD5 Checksums

This advisory gives the MD5 checksums for a number of SunOS files, along with a tool for checking them. The checksums can be used to assure the integrity of those files. The CERT Coordination Center is distributing these checksums because of an increasing number of incidents in which intruders who gain root access are modifying system files to install Trojan horses. Moreover, intruders are modifying files so that they have the same checksum as the original file. This is possible because the standard "sum" program that comes with most UNIX systems was designed to detect accidental modifications to files and is not strong enough to prevent deliberate attempts to yield a specific checksum. The MD5 algorithm by RSA Data Security, Inc. is specifically designed to provide checksums that cannot be deliberately spoofed. We strongly recommend that sites install the MD5 software and use it to validate system software. More information on obtaining MD5 is given below.

The list of checksums in Appendix B of this advisory is provided for your convenience. In addition, we are providing a program that can assist you in checking your MD5 output against the values in the database. This checksum list is not complete. We have begun with a number of the more common locations for Trojan horses that we have seen in connection with the continuing "sniffer" attacks reported in CA-94:01 "Ongoing Network Monitoring Attacks." We intend to work with all vendors to expand this list and make more MD5 checksums widely available for anonymous FTP.

We encourage sites to consider installing a more complete package for monitoring system integrity, such as Tripwire from the COAST project (anonymous FTP on ftp.cs.purdue in "/pub/spaf/COAST/Tripwire") or the TIGER system from TAMU (anonymous FTP on net.tamu.edu in "pub/security/TAMU"). We will maintain a file, CA-94:05.README, that will contain pointers to additional databases and other updates as they become available.

[The entire Advisory is in RISKS-15.67MD5. Contact the CERT for further information. PGN]
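The advisory's central point, that an intruder can make a trojaned file carry the same sum(1) checksum as the original while a cryptographic hash exposes the change, worked through in code. This is an added example, not CERT's checking program or Tripwire: the file contents, the manifest format (one "path  hexdigest" per line) and the trojan are all constructed, and the weak checksum implemented is the System V variant of sum (the one coreutils computes for sum -s), chosen because its forgery is a one-liner. Two caveats the advisory could not give in 1994: MD5 itself has had practical collision attacks since 2004, so a present-day manifest should use SHA-256 (the algorithm parameter below switches it), and a checker run on the compromised host is only as honest as that host's hash binary and kernel, so compare from trusted media or a clean machine.

```python
"""Weak checksums can be steered to a chosen value; cryptographic hashes cannot.

Added example with constructed data; not CERT's tool. Default algorithm is
MD5 to match the advisory, but use "sha256" for anything real: MD5 collisions
have been practical since 2004."""
import hashlib

MOD = 0xFFFF  # the sum(1) fold below is arithmetic mod 2**16 - 1


def sysv_sum(data: bytes) -> int:
    """System V style 16-bit byte sum (what `sum -s` computes). It catches
    accidental corruption, nothing more: the sum is linear in the bytes."""
    s = sum(data) & 0xFFFFFFFF
    r = (s & 0xFFFF) + (s >> 16)
    return (r & 0xFFFF) + (r >> 16)


def forge_sysv_sum(payload: bytes, target: int) -> bytes:
    """Append padding so that sysv_sum(result) == target.

    Because 2**16 == 1 (mod 65535), the fold is just the byte sum mod 65535,
    so padding bytes whose values add up to the missing amount suffice.
    Target 0 is only reachable by an all-zero file, hence the check."""
    missing = (target - sum(payload)) % MOD
    padding = bytes([0xFF] * (missing // 0xFF) + [missing % 0xFF])
    forged = payload + padding
    if sysv_sum(forged) != target:
        raise ValueError("target 0 is not reachable for a non-zero payload")
    return forged


def digest(data: bytes, algorithm: str = "md5") -> str:
    return hashlib.new(algorithm, data).hexdigest()


def parse_checksum_list(text: str) -> dict:
    """Parse a manifest of 'path  hexdigest' lines (constructed format,
    loosely modelled on the advisory's Appendix B); '#' comments and blank
    lines are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, expected = line.split()
        table[path] = expected.lower()
    return table


def check_files(files: dict, reference: dict, algorithm: str = "md5") -> list:
    """Compare files (path -> bytes) against the manifest.
    Returns [(path, status)] with status 'ok', 'MODIFIED' or 'missing'."""
    report = []
    for path, expected in sorted(reference.items()):
        if path not in files:
            report.append((path, "missing"))
        elif digest(files[path], algorithm) == expected:
            report.append((path, "ok"))
        else:
            report.append((path, "MODIFIED"))
    return report


def demo():
    """Constructed stand-ins for a system binary and a trojaned replacement
    padded so that sum(1) cannot tell them apart."""
    original = b"#!/bin/sh\nexec /usr/lib/real-login \"$@\"\n"
    trojan = b"#!/bin/sh\ncp /etc/passwd /tmp/.x\nexec /usr/lib/real-login \"$@\"\n"
    forged = forge_sysv_sum(trojan, sysv_sum(original))
    manifest = f"# constructed manifest\n/bin/login  {digest(original)}\n/bin/ps  {digest(b'ps')}\n"
    files = {"/bin/login": forged}  # /bin/ps deliberately absent
    return {
        "weak_sum_matches": sysv_sum(forged) == sysv_sum(original),
        "md5_matches": digest(forged) == digest(original),
        "report": check_files(files, parse_checksum_list(manifest)),
    }


if __name__ == "__main__":
    print(demo())
```

The forgery works because the byte sum is linear: an attacker who knows the target value can always pick padding that lands on it. A cryptographic hash removes that freedom, which is the whole reason the advisory ships MD5 values rather than sum output. Keep the manifest somewhere the intruder cannot edit (offline media or a signed copy), or the comparison proves nothing.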